Merge "Add release note and fix some TODO from system scope support"

2021-02-19 03:56:36 +00:00 · 2021-02-19 03:56:36 +00:00 · 34743b278c
commit 34743b278c
parent 1ae5f72750 32e0557808
4 changed files with 61 additions and 0 deletions
--- a/releasenotes/notes/support-for-rbac-new-scope-6ec8164ce1e7288c.yaml
+++ b/releasenotes/notes/support-for-rbac-new-scope-6ec8164ce1e7288c.yaml
@ -0,0 +1,13 @@
+---
+prelude: >
+    Support for RBAC new system scope is added in Tempest.
+features:
+  - |
+    Keystone provides the new scoped token called ``system`` which
+    can be used to query the system scoped API operation. Projects
+    are moving towards the policy with new scope types, Keystone, Nova
+    already provide the new policy for RBAC checks. Tempest has added
+    the support to query the system scoped token from keystone to test
+    the new policy.
+    As next step, we will be moving all the Tempest tests on the project's
+    new policy.
--- a/tempest/lib/common/cred_provider.py
+++ b/tempest/lib/common/cred_provider.py
@ -59,6 +59,42 @@ class CredentialProvider(object):
    def get_alt_creds(self):
        return

+    @abc.abstractmethod
+    def get_system_admin_creds(self):
+        return
+
+    @abc.abstractmethod
+    def get_system_member_creds(self):
+        return
+
+    @abc.abstractmethod
+    def get_system_reader_creds(self):
+        return
+
+    @abc.abstractmethod
+    def get_domain_admin_creds(self):
+        return
+
+    @abc.abstractmethod
+    def get_domain_member_creds(self):
+        return
+
+    @abc.abstractmethod
+    def get_domain_reader_creds(self):
+        return
+
+    @abc.abstractmethod
+    def get_project_admin_creds(self):
+        return
+
+    @abc.abstractmethod
+    def get_project_member_creds(self):
+        return
+
+    @abc.abstractmethod
+    def get_project_reader_creds(self):
+        return
+
    @abc.abstractmethod
    def clear_creds(self):
        return
--- a/tempest/lib/common/dynamic_creds.py
+++ b/tempest/lib/common/dynamic_creds.py
@ -405,12 +405,18 @@ class DynamicCredentialProvider(cred_provider.CredentialProvider):
                         " credentials: %s", credentials)
        return credentials

+    # TODO(gmann): Remove this method in favor of get_project_member_creds()
+    # after the deprecation phase.
    def get_primary_creds(self):
        return self.get_credentials('primary')

+    # TODO(gmann): Remove this method in favor of get_project_admin_creds()
+    # after the deprecation phase.
    def get_admin_creds(self):
        return self.get_credentials('admin')

+    # TODO(gmann): Replace this method with more appropriate name.
+    # like get_project_alt_member_creds()
    def get_alt_creds(self):
        return self.get_credentials('alt')

--- a/tempest/lib/common/preprov_creds.py
+++ b/tempest/lib/common/preprov_creds.py
@ -308,6 +308,8 @@ class PreProvisionedCredentialProvider(cred_provider.CredentialProvider):
        self.remove_hash(_hash)
        LOG.info("%s returned allocated creds:\n%s", self.name, clean_creds)

+    # TODO(gmann): Remove this method in favor of get_project_member_creds()
+    # after the deprecation phase.
    def get_primary_creds(self):
        if self._creds.get('primary'):
            return self._creds.get('primary')
@ -315,6 +317,8 @@ class PreProvisionedCredentialProvider(cred_provider.CredentialProvider):
        self._creds['primary'] = net_creds
        return net_creds

+    # TODO(gmann): Replace this method with more appropriate name.
+    # like get_project_alt_member_creds()
    def get_alt_creds(self):
        if self._creds.get('alt'):
            return self._creds.get('alt')
@ -408,6 +412,8 @@ class PreProvisionedCredentialProvider(cred_provider.CredentialProvider):
        for creds in self._creds.values():
            self.remove_credentials(creds)

+    # TODO(gmann): Remove this method in favor of get_project_admin_creds()
+    # after the deprecation phase.
    def get_admin_creds(self):
        return self.get_creds_by_roles([self.admin_role])